Azure Tenant
Overview
This section describes how to connect Core to a Microsoft Azure tenant.
A growing number of organizations use Microsoft productivity apps such as Microsoft 365 and OneDrive on mobile devices. These deployments give device users access to their organization's resources from many devices and apps, from anywhere, using only their credentials. If those credentials are compromised, an unauthorized person can also log in and gain complete access to the organization's data. Controlling only who can access the organization's resources is therefore no longer sufficient; IT administrators must also know how, and from which device, a resource is being accessed. They must ensure that data is accessed only from devices that meet the corporate compliance policy, and that those policies are enforced on every device. Administrators should also be able to block access from unauthorized devices by defining conditional access policies.
Microsoft's Intune device compliance APIs allow organizations to update a device's compliance status in Microsoft Azure Active Directory (AAD). Using conditional access in AAD, administrators can then block non-compliant devices from accessing apps. By connecting Core to AAD, administrators can use the compliance status of Core-managed devices as a conditional access condition for Microsoft 365 apps.
Requirements
Microsoft
Core customers must have a valid Microsoft Intune subscription and assign a Microsoft Intune license to each device user covered by this integration.
For Microsoft 365 licensing details, see:
https://www.microsoft.com/en-us/microsoft-365/enterprise/compare-office-365-plans
Core
- Core: administrators need Core version 11.0.0.0 or a supported newer version.
- For instructions on how to set up Android Enterprise, see the Core Device Management Guide for Android and Android Enterprise Devices.
- If you do not have a link to your Core instance, contact your Ivanti Customer Success Manager.
- Mobile@Work for iOS (client): version 12.0 or a supported newer version.
Supported OS versions
- iOS 12.0 or supported newer versions
The Microsoft website states:
- Office for iPad® and iPhone® (including Outlook for iOS) is supported on the two most recent versions of iOS and iPadOS. When a new version of iOS or iPadOS is released, the Office Operating System requirement becomes the two most recent versions: the new version of iOS or iPadOS and the previous version.
- For more information on supported OS versions, see https://www.microsoft.com/en-in/microsoft-365/microsoft-365-and-office-resources?rtc=1#coreui-heading-3b8v07b
Unsupported OS versions
Behavior when an unsupported device OS version is used:
- On the unsupported version iOS 11.4, the device user can still complete AAD device registration, and the device details are uploaded to the Azure portal. However, the Microsoft apps (for example, Outlook, Excel, Word and OneDrive) are not available in the App Store for that version, so the device cannot use them regardless of compliance status.
Multiple Core support
If you have multiple Cores connected to the same Azure tenant, do not disconnect a single Core from the Azure tenant. Your options are:
- Disconnect all Cores
- Disable the compliance policy for the AAD compliance integration on a specific (single) Core so that it no longer uploads device data to Azure
Always disable the compliance policy before disconnecting a Core.
Technical support
For additional help with this feature, contact Ivanti Technical Support.
From the Core administrator's point of view
The following lists the process from the Core administrator's perspective.
- Administrator applies Intune licenses to device users. See Apply the Intune license to device users.
- Administrator logs into the Azure Portal.
- Administrator adds Core as an Azure compliance partner. See Adding Core as a compliance partner.
- Administrator creates the Conditional Access policy for the apps. See Creating a conditional access policy in Microsoft Endpoint Manager.
- Administrator sets up the connection between Core and Azure. This allows client devices to report compliance status to Azure. See Connecting Microsoft Azure to Core.
- Administrator creates the device compliance policy in Core. See Creating a partner device compliance policy.
- When the device checks in, its compliance status is sent to the Azure portal.
- The Conditional Access policy takes effect: depending on whether the device is compliant, access to the app(s) is granted or denied.
- Administrator can disconnect from Azure. See De-provisioning of the Azure tenant.
Ivanti recommends that the administrator test every Microsoft app (Outlook, Word, Excel, PowerPoint, OneDrive, and so on) against both a compliant and a non-compliant device before relying on the policy.
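The guide creates the Conditional Access policy in the Azure portal / Microsoft Endpoint Manager. As an added example that is not part of this guide or of Core, the same policy can be defined in code with the Microsoft Graph PowerShell SDK, which makes its shape explicit: it targets the Office 365 app group on iOS and Android and grants access only to devices that AAD marks compliant, which is the status Core reports through the Intune device compliance APIs. The display name, the emergency-access group ID and the initial report-only state are assumptions for illustration; the policy is switched to enforced only after the per-app tests recommended above succeed.

```powershell
# Added example (not from the Ivanti guide): define the Conditional Access policy the
# Core/AAD compliance integration depends on, using the Microsoft Graph PowerShell SDK.
# Prerequisite: Install-Module Microsoft.Graph (Microsoft.Graph.Identity.SignIns is used here).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumed placeholder: object ID of an emergency-access (break-glass) group that a
# device-compliance policy must never lock out. Replace with a real group ID.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require compliant device for Office 365 on mobile (Core)"   # assumed name
    # Report-only first: sign-ins are evaluated and logged in the sign-in logs but not
    # blocked, so the Outlook/Word/Excel/PowerPoint/OneDrive tests can be reviewed
    # before enforcement begins.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        # "Office365" is the built-in application group covering the Microsoft 365 services.
        applications   = @{ includeApplications = @("Office365") }
        # Limit the policy to the platforms for which Core reports compliance.
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("all")
    }
    # Grant access only when the device is marked compliant in AAD. That flag is exactly
    # what Core updates via the Intune device compliance APIs at device check-in.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After the report-only results for each app look right, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Keep the policy in report-only state while verifying that a device Core reports as non-compliant is actually denied and a compliant one is allowed; enforcing a compliance policy before the Core-to-Azure connection is working would block every mobile user, since no device would yet have a compliant status in AAD.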
From the device user's point of view
The following lists the process from the device user's perspective.
- The device is enrolled with Mobile@Work. See Installing Mobile@Work for iOS and Android.
- The device user logs into their AAD account. This requires the Authenticator app to be installed on the device (see Required client device user action and use cases).
- If Authenticator is already on the device, the device user logs into the AAD account with their Microsoft credentials.
- If Authenticator is not installed, the device user is guided to install it and then logs in with their Microsoft credentials.
Note the following:
- If the device is compliant, the device user can access Microsoft 365 apps.
- If the device is not compliant, an error displays stating that the app cannot be opened.
Next steps